The approach to cybersecurity is shifting as the risk of data leaks has become more commonplace. Hedge funds and financial firms also need to ensure they implement consistent and continuous training, monitoring and testing to contend with ever-changing, creative threat actors. This is also critical in view of changing regulatory requirements.
Financial institutions, including hedge funds, have evolved and threat actors are raising the stakes turning ransomware attacks into something even more menacing. By and large, firms now have access to strong backups and disaster recovery software so traditional ransomware attacks are largely ineffectual as they are no longer compelled to pay the ransom to gain access to their files.
“Threat actors are now getting access to environments in various ways. They lay low, carry out a lot of reconnaissance work in the hopes of exfiltrating the data,” explains Rick Mutzel, security & compliance officer at Omega Systems, “This means instead of simply holding access to files for ransom, these criminals are already holding a firm’s data – which is a much bigger problem.”
This brings with it significant regulatory and reputational concerns as a potential breach could be extremely damaging. “Information is now being copied out, forwarded or impersonated. This means not only do firms need to comply with issues around breach notifications, they also need to manage the reputational harm which can come to them,” Mutzel says.
New proposed regulations by the Securities and Exchange Commission mean firms need to disclose any incident within a specific deadline. Regulators would also want clients to be notified, which means the firm may well lose some of its clientele.
Securing end users
Security solutions can help firms mitigate these risks, but Mutzel identifies the critical role end-users play in making sure these solutions actually serve their purpose. “You can put the best lock on your front door and have a state-of-the-art surveillance system, but if you leave your keys in the door or the door open, then they will not stop intruders.
“We can put all these technical controls in place to monitor and secure data and information, but the end user is always going to be a firm’s weakest link. Therefore, end user awareness and user training is the largest risk a business faces.”
Email is a low point of vulnerability for most firms and therefore implementing robust end user training to encourage security awareness and education will help mitigate these kinds of risks. Omega Systems provides such training and Mutzel underscores the importance of continuous assessments and training.
“You can carry out weekly, monthly or quarterly phish testing. The system will generate messages pertaining to the business vertical and send emails to a firm’s users. These can all be tracked and monitored. Users can report a suspect email to our SOC [security operations centre] team. Those who do click on the email are automatically enrolled in remediation training.”
The data can also be used to run reports to be presented to the firm’s board or IT steering committee. This will allow firms to understand what their threat level is and strengthen any areas which may need attention at a given point in time.
Regulation and responsibility
This reporting function is crucial given the increasing scrutiny by regulators. Mutzel outlines: “Traditionally, a yearly assessment or audit was sufficient. Now the methodology has transitioned to this continuous model, where they want to see these assessments happen on a reoccurring basis. Firms will still get an official audit on a yearly basis but the regulator wants to see that internally, firms are continually doing vulnerability scans or reviewing policies and procedures and making adaptations to those based on an incident that may have happened.”
Effectively, regulators want to see cybersecurity policies which are dynamic – ones which are implemented across a business and are also continuously monitored and updated. This also applies to the technology being used for cybersecurity purposes – it needs to be reviewed and adapted according to a firm’s changing requirements
In addition to the growing need for continuous assessment, the shift of responsibility within the cybersecurity landscape is also having an impact on the industry.
What may have started as a siloed area of expertise is now essential to a firm’s future. Mutzel outlines the importance of having a reliable cybersecurity function. How this is tackled depends on the size of the company: “Small institutions may not necessarily have the ability to have a dedicated chief information officer or an internal IT department. So, they may choose to outsource this to a firm like Omega.”
Delegating this means they can get a high-quality end result without having to do much of the heavy lifting.
Larger institutions are more likely to consider bringing the role in-house and that is where, Mutzel stresses the importance of having an expert in an advisory role: “My recommendation is to have that person report directly to someone very senior within the company. This avoids them getting stuck in a lot of red tape and means they can be more adaptive and nimble. The IT director or CIO needs to be in a position where they can get the audience with somebody who can make the actionable items come true. Having that person report directly to the C-suite or the board of directors avoids things falling through the cracks.”
Understanding the risk
From its perspective, Omega has created solutions to support firms, particularly those looking to for support from a third-party partner. This was done in answer to a number of additional compliance and regulatory requirements which are being introduced. Some of these can be hard to meet, especially for smaller companies.
Omega’s Smart Comply service offers a different kind of toolset, where they help clients manage risk by doing data discovery. Mutzel explains: “Part of the regulatory nuance is about understand where the risk is and managing it. An essential part of what we offer is continually monitoring where the data is and what it is, how it’s being accessed etc. Identifying risk does not always mean it needs to be mitigated but firms must know that risk exists in order to make an educated decision on what action to take as a result.”
This is a growing element in Omega’s offer, alongside Smart Secure, which focuses more on the technical elements of cybersecurity provision.